Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
04-12-2024
11:47 PM
Hi you could write “multi line” searches separated by | on one line. In normal situation there is no mater have you written SPL in one line or formatting it to several lines. It’s just for reading i...
See more...
Hi you could write “multi line” searches separated by | on one line. In normal situation there is no mater have you written SPL in one line or formatting it to several lines. It’s just for reading it easier. You could also write your query as a report and then call it with savedsearch your report via rest. r. Ismo
04-12-2024
11:41 PM
1 Karma
Hi it depends how your roles have defined in authorizations. There is an attribute srchIndexesDefault, which define what indexes are used when you don’t use index=xyz on your query. Of course you mu...
See more...
Hi it depends how your roles have defined in authorizations. There is an attribute srchIndexesDefault, which define what indexes are used when you don’t use index=xyz on your query. Of course you must have access to those indexes. This is defined with an attribute srchIndexesAllowed. Those both are define in authorize.conf. As already has said, you should always use index=xyz on your queries to use needed/wanted indexes as different roles has different default indexes. IMHO you shouldn’t ever use srchIndexesDefault as it leads people to drop that index=xyz part away from queries. r. Ismo
04-12-2024
11:36 PM
Are you able to generate the some_example_generated_file.csv.gz file from running the search in the Splunk webUI as the user whose credentials or token is being used to authorize the API request? Th...
See more...
Are you able to generate the some_example_generated_file.csv.gz file from running the search in the Splunk webUI as the user whose credentials or token is being used to authorize the API request? There should be no problem running searches with piped segments using curl and the search api endpoints. Though you may have to tweak the character encoding in the search query. I recommend trying it segment-by-segment to see if it generates the expected results.
04-12-2024
11:28 PM
Hi If query takes long, then maybe you should look if you should use time() instead of now()? 1st gives you current time and 2nd is time when query has started. r. Ismo http://docs.splunk.com/Docum...
See more...
Hi If query takes long, then maybe you should look if you should use time() instead of now()? 1st gives you current time and 2nd is time when query has started. r. Ismo http://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/DateandTimeFunctions
04-12-2024
11:17 PM
@gcusello I have used below commands to generate various certificates and adjust web.conf also. But still the connection is not secure. D:\Splunk\bin\splunk" cmd openssl genrsa -aes256 -out mySplu...
See more...
@gcusello I have used below commands to generate various certificates and adjust web.conf also. But still the connection is not secure. D:\Splunk\bin\splunk" cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048 "D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key "D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -text "D:\Splunk\bin\splunk" cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr "D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095 "D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095 type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem web.conf [settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem
04-12-2024
10:50 PM
Hi @uagraw01 , The connection is using a self signed certificate. So, if the website doesn’t have a thir party certificate, the “HTTPS Not Secure” Message in Chrome will appear, even if you have a ...
See more...
Hi @uagraw01 , The connection is using a self signed certificate. So, if the website doesn’t have a thir party certificate, the “HTTPS Not Secure” Message in Chrome will appear, even if you have a certificate. You can solve the issue using a third party certificate or enabling your browser to recognize this certificate as well. Ciao. Giuseppe
04-12-2024
10:30 PM
@gcusello I did it already but the connection not secure. I want to make connection secure as well.
04-12-2024
10:22 PM
Hi @Jasmine , as @marnall said a space is missing between the index value and the source condition. I suppose that the erro is that the argument of the match function in the eval command is a regex...
See more...
Hi @Jasmine , as @marnall said a space is missing between the index value and the source condition. I suppose that the erro is that the argument of the match function in the eval command is a regex, so you don't need to use asterisk: index=aaa (source="/var/log/testd.log")
| stats count by host
| eval env=case(
match(host, "10qe"), "Test",
match(host, "10qe"), "QA",
match(host, "10qe"), "Prod") Ciao. Giuseppe
04-12-2024
10:17 PM
Hi @vishwa you can use eval (https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandOverview) or addtotal (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/A...
See more...
Hi @vishwa you can use eval (https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandOverview) or addtotal (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Addtotals), something like this: index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by Message
| eval Total="Letter published correctley to ATM subject" + "Letter published correctley to DMM subject" + "Letter published correctley to DMM subject" + "Letter rejected due to: DOUBLE_KEY" + "Letter rejected due to: UNVALID_LOG" + "Letter rejected due to: UNVALID_DATA_APP"
| table "Initial message received with below details" Total Ciao. Giuseppe
04-12-2024
10:13 PM
Hi @uagraw01, this is the procedure to generate a certificate or to add an external certificate, but you have also to enable the https on web and you can do it in [Settings > Server Settings > gener...
See more...
Hi @uagraw01, this is the procedure to generate a certificate or to add an external certificate, but you have also to enable the https on web and you can do it in [Settings > Server Settings > general Settings]. If you want to use a self signed certificate, you don't need to create a new one because Splunk uses its own certificate for the internal management communications; you need only to enable https connection as I described. Ciao. Giuseppe
04-12-2024
10:08 PM
Hi @Satyapv, you can use eval to categorize your data: <your_search>
| eval period=case(
_time>now()-300,"Last 5min Vol",
_time>now()-600,"Last 10min Vol",
_time>now()-900,"Last 15min Vol"...
See more...
Hi @Satyapv, you can use eval to categorize your data: <your_search>
| eval period=case(
_time>now()-300,"Last 5min Vol",
_time>now()-600,"Last 10min Vol",
_time>now()-900,"Last 15min Vol")
| chart count OVER Transaction BY period Ciao. Giuseppe
04-12-2024
09:50 PM
I tried to copy-paste your chinese text to google translate to understand what you want to accomplish, but I am not sure the translation is correct: "I want to use syslog-ng to input data from the u...
See more...
I tried to copy-paste your chinese text to google translate to understand what you want to accomplish, but I am not sure the translation is correct: "I want to use syslog-ng to input data from the universal forwarder to my search head I'm going to use TCP but I don't know what's wrong and I can't display my data in the search header " your syslog-ng seems to be receiving syslog data on port 514 and then delivering the data to 10001/10002 TCP depending on the source IP while doing some transformation. Is 10001 and 10002 where your search heads are? Or are those ports opened by UF? Usually the easiest way to send syslog data to Splunk is by using HEC (HTTP Event Collector), and if you were using that you can simply assign host/source/sourcetype to a specific log message, no need to use separate ports. Also, you are manually getting rid of the priority header (e.g. removing <NNN> in the front), but that would be taken care of by the actual syslog parser in syslog-ng that you disabled via flags(no-parse).
04-12-2024
09:42 PM
Hi Team,
I need to extract the values of the fields where it has multiple values. So, I used commands like mvzip, mvexpand, mvindex and eval. However the output of my spl query is not matching with...
See more...
Hi Team,
I need to extract the values of the fields where it has multiple values. So, I used commands like mvzip, mvexpand, mvindex and eval. However the output of my spl query is not matching with the count of the interesting field. Could you please assist on this? Here is my SPL query and output screenshots below.
index="xxx" sourcetype="xxx" source=xxx events{}.application="xxx" userExperienceScore=FRUSTRATED
| rename userActions{}.application as Application, userActions{}.name as Action, userActions{}.targetUrl as Target_URL, userActions{}.duration as Duration, userActions{}.type as User_Action_Type, userActions{}.apdexCategory as useractions_experience_score
| eval x=mvzip(mvzip(Application,Action),Target_URL), y=mvzip(mvzip(Duration,User_Action_Type),useractions_experience_score)
| mvexpand x
| mvexpand y
| dedup x
| eval x=split(x,","), y=split(y,",")
| eval Application=mvindex(x,0), Action=mvindex(x,1), Target_URL=mvindex(x,2), Duration=mvindex(y,0), User_Action_Type=mvindex(y,1), useractions_experience_score=mvindex(y,2)
| eval Duration_in_Mins=Duration/60000
| eval Duration_in_Mins=round(Duration_in_Mins,2)
| table _time, Application, Action, Target_URL,Duration_in_Mins,User_Action_Type,useractions_experience_score
| sort - _time
| search useractions_experience_score=FRUSTRATED
| search Application="*"
| search Action="*"
Query Output with the statistics count:
Expected Count:
04-12-2024
09:19 PM
Hello All, I want to build a splunk query using stats to get count of messages for last 5 min, last 10min and last 15min.Something like below. Kindly let me know how below can be achieved? T...
See more...
Hello All, I want to build a splunk query using stats to get count of messages for last 5 min, last 10min and last 15min.Something like below. Kindly let me know how below can be achieved? Transaction Last 5min Vol Last 10min Vol Last 15min Vol A B C
04-12-2024
09:18 PM
Hi @ITWhisperer , Could you please provide an update on this request? Thank you,
04-12-2024
09:04 PM
so we cannot load index dynamically from log files, correct?
04-12-2024
08:41 PM
Hello Splunkers!! I want to work Splunk on https. I am using windows server. How to generate certificate in Splunk and Trustore in some easy steps available? I followed below document but not givi...
See more...
Hello Splunkers!! I want to work Splunk on https. I am using windows server. How to generate certificate in Splunk and Trustore in some easy steps available? I followed below document but not giving any good results. https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/Howtoself-signcertificates
Labels
- Labels:
-
SSL
04-12-2024
06:52 PM
index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to AT...
See more...
index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by Message OUTPUT: RampdataSet Initial message received with below details Letter published correctley to ATM subject Letter published correctley to DMM subject Letter rejected due to: DOUBLE_KEY Letter rejected due to: UNVALID_LOG Letter rejected due to: UNVALID_DATA_APP WAC 10 0 0 10 0 10 WAX 30 15 15 60 15 60 WAM 22 20 20 62 20 62 STC 33 12 12 57 12 57 STX 66 30 0 96 0 96 OTP 20 10 0 30 0 30 TTC 0 5 0 5 0 5 TAN 0 7 0 7 0 7 But we want output as shown below: Total="Letter published correctley to ATM subject" + "Letter published correctley to DMM subject" + "Letter published correctley to DMM subject" + "Letter rejected due to: DOUBLE_KEY" + "Letter rejected due to: UNVALID_LOG" + "Letter rejected due to: UNVALID_DATA_APP" |table "Initial message received with below details" Total RampdataSet Initial message received with below details Total WAC 10 20 WAX 30 165 WAM 22 184 STC 33 150 STX 66 222 OTP 20 70 TTC 0 15 TAN 0 21
Labels
- Labels:
-
field extraction
04-12-2024
05:55 PM
@bowesmana , thank you for ur inputs. We created queries according to our data working now. Thank you once again.
